1. Field of the Invention
The present invention relates to a method and a system for security authorisation of networked computer resources, and especially to technology for providing access control to system resources.
2. Related Art
Server system functionality usually includes so-called resource management, through which a server synchronises and manages access to one or more resources such as databases or database servers. Requests from a client are received by the server system and processed, and the appropriate accesses to the resources are made. A response to the client system is then created and transmitted to the client system. This general model applies to many server paradigms, including online banking, order entry and tracking, e-commerce, and even electronic mail processing. Client programs typically handle user interactions, such as presenting drop-down lists, menus and pages of information. Client programs also typically include functionality to request data, or to initiate some data modification on behalf of a user, from the server system. In many cases, a single server system is used by multiple clients simultaneously. For example, dozens or hundreds of clients can interact with a handful of services that control database access. Using such an arrangement of system and functionality, the client systems are isolated from having to know anything about the actual resource managers and resources. They need only the capability to communicate and interact with the server systems, and do not need specific capabilities or software to communicate directly with resources. The resource manager within the server systems is often assigned the task of security and access control, such that users requesting secure data from the resources may be allowed or denied access to that data.
Access control for computer-based resources, such as servers or storage spaces, can be used to prevent those outside of an organisation from accessing the resources and can also be used to limit access by internal personnel.
Classical access control has been provided through the use of access control lists (ACLs), whereby users are associated with specific permissions to access or interact with various resources. To this extent, an ACL is typically viewed as a person-by-person or group-by-group enumeration of permissions.
Whenever a permission within an ACL changes, the ACL must be recreated with the changed permission. Configuring or changing an ACL is not an easy process. This is especially the case where finely grained control over the permission levels is desired, such as when resources are arranged as a hierarchical tree of nodes. The classical role-based access control model lacks the possibility to enforce different access control constraints on individual resource instances. To overcome this problem, extensions have been made to the classical model that define roles as sets of permissions on individual resources (resource-level role-based access control, RRBAC). Two of the most important examples in this area are the J2EE (Java 2 Platform, Enterprise Edition) authorisation model and the so-called WebSphere™ Administration Roles, which are described in U.S. Patent Application Publication No. U.S. 2003/0229623 A1. WebSphere™, a product from International Business Machines, is an application server which is available for a number of platforms, including computers from personal computers to high-end mainframes running operating systems from Microsoft Windows NT™ to IBM's AIX™ to open-source Linux.
Neither the J2EE authorisation model nor the pure role-based access control (RBAC) model provides instance-level resource protection.
U.S. 2003/0229623 A1 describes a further role-based access control model that forms the basis for the administrative roles introduced with WebSphere 5.0™. This model is not very generic or flexible.
The J2EE authorisation model, together with the Java Authorisation Contract for Containers, defines J2EE roles as consisting of individual permissions that allow access either to specific World Wide Web (WWW) content or to business logic exposed by individual Java Enterprise Beans. The protection of individual resource instances is very limited: the granularity is defined by the interfaces exposed by the Java Enterprise Beans and by information that can be directly mapped to Web Universal Resource Locators (URLs).
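The three models contrasted above (a per-resource ACL enumeration, classical RBAC with no resource dimension, and resource-level RBAC over a hierarchical tree of nodes) are illustrated in the following added example. It is not code from the patent or from WebSphere™ or J2EE; the resource tree, principals, roles and permission names are constructed for illustration, and the subtree-inheritance rule for RRBAC grants is an assumption chosen to show instance-level scoping.

```python
"""Added example: ACL vs. classical RBAC vs. resource-level RBAC (RRBAC).

All names below (resources, principals, roles, permissions) are constructed
for illustration; none come from the patent text or from any real product.
"""

# Constructed hierarchical resource tree: node -> parent (None for the root).
RESOURCE_TREE = {
    "cell": None,
    "cell/node1": "cell",
    "cell/node1/server1": "cell/node1",
    "cell/node2": "cell",
    "cell/node2/server2": "cell/node2",
}


def ancestors(resource):
    """Yield the resource itself, then each parent up to the root."""
    while resource is not None:
        yield resource
        resource = RESOURCE_TREE[resource]


def subtree(root):
    """All resources whose ancestor chain contains `root` (root included)."""
    return [r for r in RESOURCE_TREE if root in ancestors(r)]


# 1. Classical ACL: each resource carries its own (principal, permission) entries.
ACL = {
    "cell/node1/server1": {("alice", "start"), ("alice", "stop"), ("ops", "start")},
    "cell/node2/server2": {("bob", "start")},
}


def acl_allows(principal, groups, permission, resource):
    """ACL check: the entry must exist on exactly this resource."""
    entries = ACL.get(resource, set())
    return any((p, permission) in entries for p in [principal, *groups])


def acl_entries_for_subtree(root, principal, permission):
    """Entries an administrator must add to grant one permission over a subtree.

    This is the 'ACL must be recreated' cost: one entry per node, not one grant.
    """
    return [(node, principal, permission) for node in subtree(root)]


# 2. Classical RBAC: role -> permissions; the resource instance plays no part.
ROLE_PERMISSIONS = {"operator": {"start", "stop"}, "monitor": {"status"}}
USER_ROLES = {"alice": {"operator"}, "bob": {"monitor"}}


def rbac_allows(principal, permission, resource=None):
    """RBAC check: `resource` is ignored, so an operator is operator everywhere."""
    roles = USER_ROLES.get(principal, set())
    return any(permission in ROLE_PERMISSIONS[r] for r in roles)


# 3. Resource-level RBAC: a role is a set of (permission, resource) pairs.
# Assumption: a grant on a node applies to that node and everything beneath it.
RRBAC_ROLES = {
    "node1-operator": {("start", "cell/node1"), ("stop", "cell/node1")},
    "cell-monitor": {("status", "cell")},
}
RRBAC_USER_ROLES = {"alice": {"node1-operator"}, "bob": {"cell-monitor"}}


def rrbac_allows(principal, permission, resource):
    """RRBAC check: walk from the instance up the tree looking for a matching grant."""
    granted = set()
    for role in RRBAC_USER_ROLES.get(principal, set()):
        granted |= RRBAC_ROLES[role]
    return any((permission, node) in granted for node in ancestors(resource))


def demo():
    """Side-by-side decisions for the same principals under each model."""
    return {
        "acl_alice_start_server1": acl_allows("alice", [], "start", "cell/node1/server1"),
        "rbac_alice_start_server2": rbac_allows("alice", "start", "cell/node2/server2"),
        "rrbac_alice_start_server1": rrbac_allows("alice", "start", "cell/node1/server1"),
        "rrbac_alice_start_server2": rrbac_allows("alice", "start", "cell/node2/server2"),
        "rrbac_bob_status_server2": rrbac_allows("bob", "status", "cell/node2/server2"),
        "acl_entries_to_grant_ops_start_on_cell": len(
            acl_entries_for_subtree("cell", "ops", "start")
        ),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to read off the `demo()` output is the middle pair: under plain RBAC Alice's `operator` role lets her start `server2` as well as `server1`, because the model has no resource dimension; under RRBAC the same person is confined to the `node1` subtree. The last entry shows the administrative cost the text attributes to ACLs: granting one permission over the whole tree requires one entry per node, whereas an RRBAC role expresses it as a single (permission, resource) pair.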
It would be desirable to have a more flexible system, accompanied by a simplification of access control administration that reduces the likelihood of administration errors.